Pwn2Own Contest to Focus on Industrial Control Systems

The popular Pwn2Own contest will focus on hacking industrial control systems and protocols when the event is held in Miami next year, according to the Zero Day Initiative, the organization that oversees the competition.

The competition, which started in 2012, invites white hat hackers to discover vulnerabilities in software and devices and then develop exploits that are demonstrated at the contest. During the 2020 show, hackers are eligible for up to $250,000 in cash and other prizes.

Previous Pwn2Own contests have primarily focused on IT issues. Next year's focus on industrial control systems is a result of the growing concern that cybersecurity professionals have about the safety and viability of systems used to run electrical systems, power grids, water treatment plants and other critical infrastructure.

"ICS and SCADA [Supervisory Control and Data Acquisition] products are behind much of the critical infrastructure we depend on, but the security of these systems has not been subjected to much public scrutiny," Brian Gorenc, director of the Zero Day Initiative, tells Information Security Media Group. "Pwn2Own Miami affords us the opportunity to bring together independent researchers and our industry partners to help find vulnerabilities and get them fixed before attackers can exploit them."

Hacking ICS

As part of the competition, white hat hackers will demonstrate exploits in industrial control systems, which are generally defined as systems used to control industrial processes such as manufacturing, product handling, production and distribution controls, according to the National Institute of Standards and Technology.

To be considered for the contest, exploits of these industrial control systems must be new and not previously seen in the wild. Once the exploits are demonstrated, the contest organizers will immediately contact the vendors whose technology is vulnerable so that patches can be developed, Zero Day Initiative notes.

Hackers will focus on five specific types of industrial control systems and protocols:

Control server;

OPC Unified Architecture (OPC UA) server;

DNP3 gateway;

Human Machine Interface (HMI) / Operator Workstation;

Engineering Workstation Software (EWS).

While some industrial control systems are "air-gapped" - meaning that they are not connected to the internet - others are not. Gorenc notes that Human Machine Interfaces, a type of dashboard that connects an operator to equipment in a facility, now come with web interfaces and browsers that allow them to connect to the wider internet.

"We know some of the control servers and HMI [Human Machine Interface] have web server components, so they definitely can be affected by web-based exploits," Gorenc says. "This contest will help determine what else researchers can find. As with our other contests, Pwn2Own Miami seeks to harden these platforms by revealing vulnerabilities and providing that research to the vendors. The goal is always to get these bugs fixed before they're actively exploited by attackers."

Last March, the competition focused on the automobile industry for the first time, and a team of security researchers managed to hack a Tesla Model 3.

Mounting Security Challenges

Over the last several years, more security researchers have warned that industrial control systems are exposed to vulnerabilities that stem from the use of older software and hardware.

"Most of these controllers do not require authentication from those attempting to access them and alter their state. Most do not support encrypted communication," Mille Gandelsman, CTO of Indegy, notes in a blog post. "This means that anyone who has network access - a hacker, a malicious insider or even a careless employee - has unfettered access to the industrial process and can become a threat to the business."

Attackers have started to take notice of these flaws in industrial control systems.

For example, in June, Xenotime, a threat group that had previously targeted the oil and gas industry, shifted its focus to industrial control systems of power plants and utilities in the U.S., according to a report by security firm Dragos (see: Xenotime Group Sets Sights on Electrical Power Plants).

About the Author

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.
